GSS-API and libkrb5 behavior for Anonymous tickets
ghudson at MIT.EDU
Wed Nov 4 16:43:23 EST 2009
On Wed, 2009-11-04 at 16:13 -0500, Sam Hartman wrote:
> However, I disagree fairly strongly unless this is going to be
> accompanied by an update to 2743. My argument is that it breaks
> conforming GSS-API applications. If I'd prefer anonymous but would be
> willing to accept an authenticated context, then I would end up
> failing with your mechanism. If I'm writing a portable application I
> have to check the output flag anyway, even if some mechanisms do offer
> this behavior.
I agree with Sam. I don't see any point in providing safety that
applications can't rely on. It seems like it would only encourage apps
to improperly rely on gss-krb5's safety and then be unsafe if used with
a different mechanism.
More information about the krbdev